[Oisf-users] OT: A question about ELK and Suricata

Michael Shirk shirkdog.bsd at gmail.com
Thu Apr 6 13:11:27 UTC 2017

Currently in the FreeBSD ports tree, elasticsearch, logstash and kibana are
all up to version 5, so are you using these ports in your setup?

Michael Shirk
Daemon Security, Inc.

On Apr 6, 2017 9:04 AM, "Oliver Humpage" <oliver at watershed.co.uk> wrote:

> > On 6 Apr 2017, at 13:46, C. L. Martinez <carlopmart at gmail.com> wrote:
> >
> > And my last question: searching over the web to think about how to
> > install and implement this solution, I see a lot of people use
> > Elasticsearch 2.X/Logstash 2.X/Kibana 3.X or 4.X. Any technical reason
> > not to use Elasticsearch/Logstash/Kibana 5?
>
> ELK’s been undergoing a lot of change recently, and it can be quite hard
> work to update the stack due to breaking changes. If you’re starting from
> scratch, though, you’re probably OK to use the latest. (We also run all the
> ELK stuff on FreeBSD, even the Java-based bits - it’s not that bad!)
>
> As for remote logging... this is general advice rather than
> Suricata-specific, but we’ve found RabbitMQ to be a very good solution. If
> a host’s software already has a RabbitMQ plugin (e.g. pmacct) then it talks
> directly to the logging cluster’s RabbitMQ servers. If not, we use some
> very basic logstash instances in the cluster to receive logs and put them
> straight into RabbitMQ.
>
> Then some more complicated logstash processes (i.e. with all the
> filters/munging/etc.) take messages out of the queue and pump them into
> Elasticsearch.
>
> This all seems to be pretty robust, and also allows for easy
> changes/upgrades to the logstash/ES instances without losing any log lines.
>
> Oliver.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
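The two-tier pipeline Oliver describes (a minimal Logstash receiver that drops raw lines into RabbitMQ, and a separate filtering Logstash that drains the queue into Elasticsearch) as a pair of Logstash 5.x configs. This is an added example, not Oliver's or the project's configuration: the broker/ES hostnames, the "logs" exchange, the "suricata" routing key and queue, the credentials and the index name are all assumptions; the Suricata EVE path and the plugin options used (rabbitmq input/output, json, date, geoip, elasticsearch) are the stock ones.

```conf
# ---- edge.conf: the "very basic" Logstash instance next to the sensor ----
# Tails Suricata's EVE JSON and forwards each line untouched into RabbitMQ.
# No filters here: parsing and enrichment live on the worker so the edge
# never needs a config change when the munging changes.
input {
  file {
    path          => "/var/log/suricata/eve.json"   # default EVE output path
    start_position => "beginning"
    sincedb_path  => "/var/db/logstash/eve.sincedb"  # assumed location
    codec         => "plain"   # keep the raw JSON line in [message]
  }
}
output {
  rabbitmq {
    host          => "rabbitmq.logging.example"      # assumed broker
    port          => 5671
    ssl           => true                            # AMQPS to the cluster
    user          => "suricata-edge"                 # assumed account
    password      => "${RABBIT_EDGE_PASSWORD}"       # from the environment, not the file
    exchange      => "logs"
    exchange_type => "direct"
    key           => "suricata"
    durable       => true      # exchange survives a broker restart
    persistent    => true      # messages are written to disk, not just RAM
  }
}

# ---- worker.conf: the "more complicated" Logstash instance in the cluster ----
# Consumes from the durable queue, parses EVE, enriches, and indexes.
# Restarting or upgrading this process only pauses the queue; nothing is lost.
input {
  rabbitmq {
    host           => "rabbitmq.logging.example"
    port           => 5671
    ssl            => true
    user           => "suricata-worker"              # assumed account
    password       => "${RABBIT_WORKER_PASSWORD}"
    exchange       => "logs"
    key            => "suricata"                     # bind queue to this routing key
    queue          => "suricata"
    durable        => true     # queue survives a broker restart
    ack            => true     # message is acked only after Logstash has it
    prefetch_count => 256
    threads        => 2
  }
}
filter {
  # Expand the raw EVE record into top-level fields, then drop the copy.
  json {
    source       => "message"
    remove_field => ["message"]
  }
  # Use Suricata's own timestamp as @timestamp, not queue/arrival time,
  # so a backlog drained after an outage still lands on the right day.
  date {
    match => ["timestamp", "ISO8601"]
  }
  if [event_type] == "alert" {
    mutate { add_tag => ["suricata_alert"] }
  }
  # src_ip is absent on some event types (e.g. stats); geoip just tags
  # _geoip_lookup_failure in that case rather than dropping the event.
  geoip { source => "src_ip" }
}
output {
  elasticsearch {
    hosts => ["https://es1.logging.example:9200"]    # assumed ES node
    index => "suricata-%{+YYYY.MM.dd}"
  }
}
```

The settings that make this "robust" are the three durability knobs: `durable` on the exchange and queue, `persistent` on published messages, and `ack` on the consumer. With those set, the queue is the buffer; a worker can be stopped, reconfigured or upgraded and the edge keeps publishing. Run the two halves as separate Logstash processes (or separate pipelines), give the edge and worker distinct RabbitMQ users with only publish or only consume permission on the `logs` exchange, and keep the passwords in the environment via `${VAR}` substitution rather than in the config file.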